Signing a key (meaning)

takethebus at takethebus at
Fri Apr 8 01:33:37 CEST 2011

Thanks everybody for all the answers. 
The reason I asked this question is that I wonder how I can check whether the email address in the ID really belongs to the key owner. 

Let's say I've known Peter Hansen for quite some time, but I don't know his email address. Now he tells me it's funny1982 at and sends me his public key with the ID "Peter Hansen funny1982 at". I'd like to sign that key after having made a fingerprint check with him on the phone. How can I make sure it's not someone else's address that he illegally has access to? 

The only possible answer is to wait a year or something and have email contact with him and see whether nothing suspicious happens. If nothing suspicious happens, I'd believe it's really his address. 

But I don't want to wait a year before signing, and why is it of importance to check whether it's really his address at all? 

If the address belongs to Anna, and Marie sends an encrypted message to funny1982 at intended only for Peter to read, Anna will not be able to read the message. If Marie intends to send a message to Anna, she will not use the key, because it's "Peter Hansen" written in the ID. She will just ignore my signature. 

In one of the replies I got, Kevin said there might be a problem: 

>Marie wants to send Anna a message. Marie uses an email program, with
>GnuPG integration, which automatically selects an encryption key based
>on the email address entered into a composed message. Because you have
>signed the key which has User ID "Peter Hansen <anna at>", and
>depending on Marie's trust settings, the message may be encrypted and
>sent to that email address, with no further alerts. Peter reads the
>message intended for Anna.

>In the hypothetical case I present, it is perhaps Marie's fault for not
>being more diligent in examining the keys she uses, but I think it is
>plausible that a "normal user" might rely on software to automate a task
>like that, without paying close attention to what's really going on. 

In reality, Marie needs to download Anna's key from a server if she really wants to send encrypted messages to Anna. Let's say she searches for funny1982 at. Then the following list appears:

ID: "Anna Hoffman funny1982 at"
ID: "Peter Hansen funny1982 at" (signed by me). 

If she is aware of security issues, she'll only download "Anna Hoffman funny1982 at", so there will be no problems. I wonder what happens if she has both keys on her computer. I bet the standard software described above will ask her which key to use. What do you think? 

Finally, I don't see a practical way to really check the email address, so I think it's best if we are honest and say Marie is responsible for checking the name in the user's ID before she uses/downloads it, and the key owner is responsible for putting an email address in the ID that he has access to. 

What do you think?
Take care,
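
The key-selection question raised in this post and in Kevin's quoted reply, as an added example that is not part of the original mail or of GnuPG: a small model of a mail client's recipient-key lookup that parses constructed `gpg --with-colons --list-keys`-style output (sample data only, example.org/example.net addresses) and refuses to pick a key silently when the address is ambiguous or the User ID name disagrees with the address book. The `Key`, `parse_colon_listing` and `select_encryption_key` names are this example's own.

```python
import re
from dataclasses import dataclass, field
# Constructed sample keyring in gpg colon format: record type in field 1, uid / fpr in field 10.
SAMPLE_LISTING = """\
pub:f:2048:1:0000000000000001:1302220417:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:f::::1302220417::AAA::Anna Hoffman <funny1982@example.org>::::::::::0:
pub:f:2048:1:0000000000000002:1302220417:::m:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000002:
uid:m::::1302220417::BBB::Peter Hansen <funny1982@example.org>::::::::::0:
pub:f:2048:1:0000000000000003:1302220417:::f:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:f::::1302220417::CCC::Marie Dupont <marie@example.net>::::::::::0:
"""
UID_RE = re.compile(r"^(.*?)\s*<([^>]+)>$")   # "Name <address>"

@dataclass
class Key:
    fingerprint: str = ""
    uids: list = field(default_factory=list)   # (name, email) pairs

def parse_colon_listing(text):
    """Group pub/fpr/uid records into Key objects (only the fields this example needs)."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = Key()
            keys.append(cur)
        elif f[0] == "fpr" and cur is not None:
            cur.fingerprint = f[9]
        elif f[0] == "uid" and cur is not None and (m := UID_RE.match(f[9])):
            cur.uids.append((m.group(1), m.group(2).lower()))
    return keys

def select_encryption_key(keys, email, expected_name):
    """Auto-select only if exactly one key carries the address and its UID name matches the address book."""
    matches = {}                          # fingerprint -> UID name, one entry per key
    for k in keys:
        for name, addr in k.uids:
            if addr == email.lower():
                matches[k.fingerprint] = name
    if not matches:
        return ("none", [])
    if len(matches) > 1:                  # Anna's and Peter's keys both claim the address
        return ("ambiguous", sorted(matches))
    (fpr, name), = matches.items()
    if name != expected_name:             # only Peter's key present: name disagrees
        return ("mismatch", [fpr])
    return ("ok", fpr)
```

With both keys in the keyring the lookup reports "ambiguous" and must ask the user; with only Peter's key present it reports "mismatch" instead of encrypting to him, which is the case Kevin describes.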
